How I passed OSCP+ in two months

0xKhaled
7 min readNov 17, 2024

--

In this blog, I will share my exam journey, starting from the first day, till passing the exam. DISCLAIMER!! Don’t miss the tips and tricks listed at the end of this blog, you will never find them elsewhere!!

The resources I used to pass OSCP exam are the following:

  • PEN-200 course.
  • All challenge labs except Skylark.
  • 30 PG machines from the Tjnull list.
  • THIS playlist is a must for AD: Derron C
  • No need to mention how Ippsec videos are awesome. This guy is literally a genius. Try to watch as much as you can so you can absorb his methodology. TAKE NOTES!
  • I found this Youtube channel PinkDraconian is really awesome. He shares short videos unlike Ippsec so you can watch them while you are having lunch :) Also I recommend watching Siren’s playlist, High quality stuff to build your methodology with Linux machines.

I was studying full-time, nearly 10–15 hours a day! So the duration depends on your time availability first and dedication second.

Also, I need to mention that before attempting this exam I was already a PNPT holder which I really recommend their 5 courses especially PEH, Windows/Linux Priv Esc.

Exam Day

I started my exam at 12 PM after getting a solid 10 hours of sleep the previous night. I began by enumerating the AD set, but after two hours, I hadn’t made any progress. Then, I received a message from the support team that they would be patching the AD environment and advised me to move on to other machines. To compensate, they extended the exam by three hours, so I had a total of 27 hours — yes, yeah exactly my OSCP exam was a 27-hour!

I switched to standalone machines, launched a full Nmap scan, and started directory/sub-directory/file/Vhost busting on any open HTTP/s ports. I took a break while the scans were running. Returning to the first standalone, I found it really easy at first, though it was full of rabbit holes for initial access. After two hours, I achieved local access, and within another 30 minutes, I escalated to a privileged user.

Then I returned to the AD set and re-did my enumeration with renewed optimism. Sure enough, I discovered something I had previously missed — how did I not notice that before? I gained access to the first machine in the AD set, completed my post-exploitation steps, and then pivoted to the internal network.

My tip for pivoting: Learn everything about port forwarding, and MASTER Ligolo — it’s a game changer. After some digging, I achieved system-level privileges on the second machine in the AD set.

At this point, I turned my full attention to the DC. I ran BloodHound to enumerate the DC and analyze potential attack vectors. Fortunately, I found a promising path to Domain Admin privileges. I took a short break, reevaluated my enumeration process, and then resumed. Finally, I found the missing link! At that moment, I truly felt like a hacker — even though I wasn’t wearing a black hoodie. I fully owned the domain and created a new Domain Admin account named “iWillNotBeHere4Ever” just to show off. I then completed post-exploitation tasks and house cleaning process was taken in consideration too.

With the DC compromised and a fully rooted machine, I had 60 points — just 10 more to pass. I had four hours left but was utterly exhausted because I hadn’t slept at all since starting the exam. I know, not the best idea, but I just can’t sleep until the job is done.

With the encouragement of family and friends, I pushed myself to get an initial foothold on another standalone. With only 20 minutes left, I found a potential privilege escalation path, but time ran out before I could fully exploit it, maybe next time. Now it’s time to write the report.

My tips for increasing your chance to pass:

1. Don’t rely on a tool, build a methodology instead. Practicing 2 different tools to get the same output is something that would save you valuable time during the tight exam duration, you don’t have time to troubleshoot stuff. One example of that is to master both Mimikatz and Secretsdump tools to extract hashes and logonpasswords.

2. Ligolo is 95% all that you need for pivoting on the exam! Master this tool. Make sure to set up a route to the internal subnet, add a listener to transfer files and another listener to get a reverse shell to your Kali machine.

3. Your notes will determine whether you will pass the exam or not!! It is so important to spend a lot of time organizing your notes and add many details because we all forget stuff.

4. Have 2 separate clean VMs for the exam. One instance of my VMs suddenly gave me errors when using impacket tools, I quickly switched to the other VM and avoided countless hours of troubleshooting.

5. For AD, make sure when a machine is pwn3d, and you have NT AUTHORITY\SYSTEM privilege, to change the password of the Administrator account and activate RDP so you can easily access it without repeating the steps of your attack. This saved me time during the exam. One of the secrets I can give you is this one-liner command to activate RDP:

netexec smb $IP -u administrator -p pass123 -M rdp -o ACTION=enable

Thank me later :)

6. I have used 4 tabs in my Kali machine. One for AD and others for each Standalone machines. This will make you organize your work, increase your productivity and multitask.

7. Use Aliases for commands that you use a lot. I have created a bunch of aliases to speed up my work. One example of that is I can simply write ‘ligolo $internalSubnetIP’ and a route will be established in a second. Just make sure when you write your exam report to write the original commands, just to be safe.

8. Zoom out when you feel stuck. Taking breaks when you feel stuck might be the solution to root a machine in minutes.

9. Don’t rely on automated tools like BEAS tools to priv esc. Always let these tools run on the background and start your manual enumeration process and you will be amazed at how many things you discover before the scan finishes. Sometimes these tools don’t generate things that might be exploitable, while you can easily spot what can be exploitable using a simple enumeration strategy.

10. Don’t overthink it. As a wise person on Reddit mentioned “The secret is to enumerate thoroughly and exploit
simply.”

11. Don’t get distracted by many resources to practice for OSCP. I only recommend the following: Course challenges, Lab challenges and PG if you have more time.

12. Keep this methodology in your mind; Enumerate -> Enumerate -> Exploit -> Enumerate -> Get Creds/hashes -> crackmapexec -> Lateral Movement and repeat…

13. When you get creds, make sure to spray the password for all domain users, you might get another pair of creds. another trick with creds, use nxc with different services. I always check these creds with SMB, Winrm, RDP and Mssql. You never know where you will grant access.

14. Wanna priv esc and found “SeImpersonatePrivilege” enabled? Don’t get confused with many potatos, stick with GodPotato, it’s not gonna fail you ever.

15. Got a shell? Create a nested shell immediately! Creating a nested shell will make you avoid re-running the exploit again to get it again. Some exploits can’t be run more than one time because they break the machine, and a revert must be done. So just make it simple and save time by just creating a nested shell.

16. Don’t only rely only on TCP ports, check UDP ones too! Remember what I told you about enumeration? OK
It’s not common to see vulnerable UDP ports, but what if you where in a case that port 161 was open and you didn’t know about it? You missed a lot of stuff which can be found there!

17. For post-exploitation on AD set, make sure to have a look EVERYWHERE!! From PowerShell history files, mimikatz password dump, git logs and even just simply cd into the administrator desktop/ documents / downloads folders, there can be a wealth of information that contains credentials for lateral movement.

18. Please do use a — local-auth flag while running nxe, as there are two different types of administrators. Local and domain. You may not get any valid plus sign if you’re just spraying without that flag. And you might get in easily using it.

19.

Keep learning..

--

--